ospfd: ospfd core if hello packet exceeds link MTU
authorNitin Soni <nsoni@cumulusnetworks.com>
Thu, 24 Jan 2019 08:44:42 +0000 (00:44 -0800)
committerNitin Soni <nsoni@cumulusnetworks.com>
Mon, 28 Jan 2019 04:27:58 +0000 (20:27 -0800)
Ospfd cored because of an assert when we try to write more than the MTU
size to the ospf packet buffer stream. The problem is that we allocate only an
MTU-sized buffer. The expectation is that Hello packets are never large
enough to approach MTU. Instead of crashing, this fix discards hello and
logs an error. One should not have so many neighbors behind an
interface.

Ticket: CM-22380
Signed-off-by: Nitin Soni <nsoni@cumulusnetworks.com>
Reviewed-by: CCR-8204
ospfd/ospf_errors.c
ospfd/ospf_errors.h
ospfd/ospf_packet.c

index 566fc29202d13c121433d9970d5a5836230b3127..b912a80692e08ab86ebed53cfcfcdf4f4e9adc31 100644 (file)
@@ -169,6 +169,15 @@ static struct log_ref ferr_ospf_err[] = {
                .description = "OSPF has attempted to change states when it should not be able to",
                .suggestion = "Gather log files and open an issue",
        },
+       {
+               .code = EC_OSPF_LARGE_HELLO,
+               .title = "OSPF Encountered a Large Hello",
+               .description = "OSPF attempted to send a Hello larger than MTU "
+                                          "but did not",
+               .suggestion = "Too many neighbors configured on a single interface."
+                                         " Suggestion is to decrease the number of neighbors on"
+                                         " a single interface/subnet"
+       },
        {
                .code = END_FERR,
        }
index cea649a6f49a6993d7cfd308e0ad2eb1f4cb32b3..726f7d9c8b31e4f3f76425233249fc0b5ab04472 100644 (file)
@@ -47,6 +47,7 @@ enum ospf_log_refs {
        EC_OSPF_LSA_MISSING,
        EC_OSPF_PTP_NEIGHBOR,
        EC_OSPF_LSA_SIZE,
+       EC_OSPF_LARGE_HELLO,
 };
 
 extern void ospf_error_init(void);
index 3bb3b79a6a728481e75f041f88c5ad58cb786a3c..5320e77288a0570cf9f9e1efc969f7ec50976381 100644 (file)
@@ -3309,6 +3309,16 @@ static int ospf_make_hello(struct ospf_interface *oi, struct stream *s)
                                                                                .prefix4))
                                                                flag = 1;
 
+                                                       /* Hello packet overflows interface MTU. */
+                                                       if (length + sizeof(uint32_t)
+                                                               > ospf_packet_max(oi)) {
+                                                               flog_err(
+                                                                       EC_OSPF_LARGE_HELLO,
+                                                                       "Oversized Hello packet!"
+                                                                       " Larger than MTU. Not sending it out");
+                                                               return 0;
+                                                       }
+
                                                        stream_put_ipv4(
                                                                s,
                                                                nbr->router_id
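Review bot: The `flog_err` call added in the neighbor loop does not name the interface that hit the limit, yet it is the only signal an operator gets once Hellos stop going out, so the message should carry it, e.g. `"Oversized Hello packet on %s! Larger than MTU. Not sending it out", IF_NAME(oi)`. Because this path returns early on every Hello attempt while the neighbor count stays high, the same error will probably repeat each hello interval; consider logging it once per interface until the condition clears. Neighbors are learned from Hellos received on the segment, so on a link without OSPF authentication the count is not purely a matter of local configuration, and the suggestion text in ospf_errors.c could mention checking for unexpected neighbors and enabling authentication. `ospf_make_hello` starts and ends outside this hunk.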
@@ -3578,6 +3588,11 @@ static void ospf_hello_send_sub(struct ospf_interface *oi, in_addr_t addr)
 
        /* Prepare OSPF Hello body. */
        length += ospf_make_hello(oi, op->s);
+       if (length == OSPF_HEADER_SIZE) {
+               /* Hello overshooting MTU */
+               ospf_packet_free(op);
+               return;
+       }
 
        /* Fill OSPF header. */
        ospf_fill_header(oi, op->s, length);
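Review bot: The check `length == OSPF_HEADER_SIZE` infers the overflow from the running sum rather than from what `ospf_make_hello` returned, so it depends on `length` being exactly `OSPF_HEADER_SIZE` before the call and on 0 never being a valid body length; neither is visible in this hunk. Holding the return value in a local and testing it directly makes the contract explicit: `hello_len = ospf_make_hello(oi, op->s);` followed by `if (hello_len == 0) { ospf_packet_free(op); return; }` before adding it to `length`. The comment would read better as `/* ospf_make_hello() returns 0 when the Hello would exceed the MTU; drop it. */`. `ospf_hello_send_sub` begins and ends outside the hunk.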